trouble posting

I’m having trouble posting, hence the reason for the ‘test’
I’ve been hijacked.

I’ve tried to send HJT log, but get bumped off.

The short posts are working.
My problem is, I get tabs/windows opening unexpectedly, Opera 10.6
svchost.exe then goes to 99% and I have to end the process to do anything.
MBAM shows clean.
avast shows nothing.

HJT log first part:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:13:29 AM, on 7/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

2nd part
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [Tphotkey] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Try

DrWeb Cureit http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/
Norman malware Cleaner http://norman.com/support/support_tools/58732/en

If this does not help, then I recommend following Essexboy's guide and attaching the logs so he can have a look
http://forum.avast.com/index.php?topic=53253.0

lower left corner: +Additional options > attach > ( MBAM scan log / OTL.Txt and Extras.Txt. )

I suggest you pay a visit to this site as your JAVA is way out of date, so I suspect the same could be true of other applications which leaves you vulnerable to exploit.

You can attach .txt or .log files to your posts rather than have to spread it over many posts.

  • When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image.

does secunia do the Java too?

It will scan the computer and tell you what programs are a security risk and need to be updated.

Do you think it will fix the problem if I have outdated programs or would I have to send HJT or OTL logs and so on?
I’m ready to seek ‘professional’ help :)

Yes it does, which I think would be a given, considering it requires JAVA to run its checks ;D

Secunia doesn’t fix anything, but highlights programs which have security updates to close vulnerabilities in out of date software. There is usually a link in the results for the program site for the various updates, this you can use to download the update and install it.

Whilst installing the updates might not fix the existing problem, that is another issue which also has to be resolved. But if you have out of date software, that makes it easier to exploit and reinfect your system. So yes, you need to post/attach the HJT log. I’m not familiar with the OTL logs, hopefully someone else can look at it.

Well, I updated to the latest java, but secunia won’t run.
‘Secunia software temporarily disabled’.
Argh

Actually did get going and it came up with an old version of java and also said to update flash, and that’s it!

Thanks for all the help and suggestions.
I finally got it sorted out with avast finding things, but the real fix came with a little program called tdsskiller.
It’s from Kaspersky, but it worked for me. It found an infected file.

You’re welcome.

TDSS is a rootkit, used to hide malware from system APIs, etc. and can be a bit of a pig to find and remove, so the specialist tool is good for that. The main problem is recognising that you have a TDSS rootkit to use the tool against.

Glad that you have it resolved now though.

jwall, what keeps you from running a 64bit version of windows, current rig or some “special” software you want to run?

My 'puters are old.
The infection occurred on an 8 year old P4 IBM laptop that came with XP Home.
My desktop is almost as old and started life with 98 SE which I upgraded to XP Home.

Thanks again DavidR.

No problem.